08-09-2024 05:27 PM
Hi Everyone,
We have a working GP setup and our users connect to the VPN without issues. However, when trying to access the firewall via its management IP while connected to the GP, we cannot reach the firewall. Other network resources specified in the access routes are reachable. Here are the troubleshooting steps I conducted:
1. Ping, SSH, Access through HTTPS the MGMT IP of Firewall: Fail
2. I made sure that the Interface MGMT Settings have the remote user's IP included in the permitted IP addresses. (HTTPS, SSH, PING also ticked)
3. I made sure that the Firewall's Mgmt IP is included in the Split Tunnel - Access Route configuration in the GP Configurations (As well as in the Security Policy in Destination Addr.)
4. I checked the logs, specifying the source addr and destination addr; it says "allow" but it shows Application Incomplete when accessing the GUI of Firewall.
5. I made sure that there is a route from the remote user to the IP Addr of the Firewall by using "route print"
6. I also tried disabling the local Windows Defender firewall of the remote user, disabling the IPv6 of the PANGP Network Adapter, and tried manually installing different versions of GP App. Result: Fail
Are there any missing steps that I haven't tried yet?
08-13-2024 06:40 PM
Verify the routing between your management interface subnet and the VPN subnet. Even though the mgmt interface is part of the firewall, it won't act as a data interface.
If the application shows as incomplete, there is no TCP handshake between the source and destination.
Run tcpdump on the mgmt interface and try to access it, to verify the traffic is reaching the respective interface. Refer to the KB below for packet capture on the mgmt interface.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleECAS
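The reply above ties "incomplete" to a TCP handshake that never finishes and suggests capturing on the mgmt interface. The following is an added example, not part of the thread or of any Palo Alto tooling, that classifies how far each handshake got; it assumes the capture has been rendered as `tcpdump -n` text, and the addresses and capture lines are constructed.

```python
import re

# tcpdump -n text line for TCP over IPv4:
#   "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
PKT = re.compile(
    r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): Flags \[([^\]]+)\]"
)
STAGES = {1: "syn-unanswered", 2: "synack-unacked", 3: "handshake-complete"}

def handshake_states(lines, mgmt_ip):
    """Map (client_ip, client_port, mgmt_port) to the furthest handshake stage seen."""
    stage = {}
    for line in lines:
        m = PKT.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if dst == mgmt_ip and flags == "S":        # client SYN reached mgmt
            stage.setdefault((src, int(sport), int(dport)), 1)
        elif src == mgmt_ip and flags == "S.":     # mgmt answered with SYN-ACK
            key = (dst, int(dport), int(sport))
            if stage.get(key) == 1:
                stage[key] = 2
        elif dst == mgmt_ip and flags == ".":      # client's final ACK arrived
            key = (src, int(sport), int(dport))
            if stage.get(key) == 2:
                stage[key] = 3
    return {k: STAGES[v] for k, v in stage.items()}

# Constructed sample capture (documentation addresses, not from the thread).
MGMT_IP = "192.0.2.10"
SAMPLE_CAPTURE = """\
10:00:01.000100 IP 198.51.100.23.51514 > 192.0.2.10.443: Flags [S], seq 100, win 64240, length 0
10:00:02.000400 IP 198.51.100.23.51514 > 192.0.2.10.443: Flags [S], seq 100, win 64240, length 0
10:00:05.000100 IP 198.51.100.23.51600 > 192.0.2.10.22: Flags [S], seq 200, win 64240, length 0
10:00:05.000300 IP 192.0.2.10.22 > 198.51.100.23.51600: Flags [S.], seq 900, ack 201, win 29200, length 0
10:00:06.000300 IP 192.0.2.10.22 > 198.51.100.23.51600: Flags [S.], seq 900, ack 201, win 29200, length 0
10:00:09.000100 IP 198.51.100.23.51700 > 192.0.2.10.443: Flags [S], seq 300, win 64240, length 0
10:00:09.000200 IP 192.0.2.10.443 > 198.51.100.23.51700: Flags [S.], seq 950, ack 301, win 29200, length 0
10:00:09.000900 IP 198.51.100.23.51700 > 192.0.2.10.443: Flags [.], ack 951, win 64240, length 0
""".splitlines()

if __name__ == "__main__":
    # No flows at all would mean the SYN never reached the mgmt interface.
    for flow, verdict in handshake_states(SAMPLE_CAPTURE, MGMT_IP).items():
        print(flow, verdict)
```

An empty result means the client's SYN never arrived at the mgmt interface (forward path), `syn-unanswered` means it arrived but the mgmt interface sent no reply, and `synack-unacked` means the reply left the mgmt interface but the handshake never completed, which points at the return path between the mgmt subnet and the VPN subnet.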
08-14-2024 06:57 PM
Thanks for your response,
The issue is now solved. Turns out that we had to adjust our PBF policies.